CVE-2025-13855 PUBLISHED

IBM Storage Protect Server is affected by a vulnerability that could allow authenticated users to access administrative metadata through the JSON-RPC endpoint .

Assigner: ibm
Reserved: 01.12.2025 Published: 01.04.2026 Updated: 01.04.2026

IBM Storage Protect Server 8.2.0 IBM Storage Protect Plus Server is vulnerable to SQL injection. A remote attacker could send specially crafted SQL statements, which could allow the attacker to view, add, modify, or delete information in the back-end database.

Metrics

CVSS 3.1

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L
CVSS Score: 7.6

Attack Vector	Network	Scope	Unchanged
Attack Complexity	Low	Confidentiality Impact	High
Privileges Required	Low	Integrity Impact	Low
User Interaction	None	Availability Impact	Low

CVSS 3.1

Product Status

Vendor	IBM
Product	Storage Protect Server
Versions	Version 8.2.0 is affected

Solutions

Affected VersionsFixing LevelPlatformRemediation/Fix/Instructions8.1.0.000 - 8.2.0.xxx8.2.1AIX Linux WindowsInstructions for downloading the update: https://www.ibm.com/support/pages/node/7266171

References

https://www.ibm.com/support/pages/node/7267783

Problem Types

CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') CWE